-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-EN-20:22.callout                                        Errata Notice
                                                          The FreeBSD Project

Topic:          Race condition in callout CPU migration

Category:       core
Module:         callout
Announced:      2020-12-01
Affects:        FreeBSD 12.1 and 12.2
Corrected:      2020-11-26 14:57:30 UTC (stable/12, 12.2-STABLE)
                2020-12-01 19:37:33 UTC (releng/12.2, 12.2-RELEASE-p1)
                2020-12-01 19:37:33 UTC (releng/12.1, 12.1-RELEASE-p11)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.

I.   Background

The callout(9) kernel subsystem is used by other kernel subsystems to request
execution of a function following a specified timeout.  callout(9) implements
an interface which allows a pending callout to be stopped.

II.  Problem Description

Callouts may be bound to a specific CPU, in which case that CPU is
responsible for raising the timer interrupt which schedules execution of the
callout.

A kernel thread may attempt to stop a callout while it is actively executing,
in which case the thread goes to sleep until execution has completed.  In the
meantime the callout may be re-scheduled and re-executed on a different CPU.
In this scenario, when the sleeping thread finally completes removal of the
callout from some internal data structures, it may modify the wrong CPU's
data structures and thus leave them in an invalid state.

III. Impact

The bug may result in kernel panics under some workloads, typically in the
softclock threads.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date and reboot.

Perform one of the following:

1) To update your system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for errata update"

2) To update your system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.2]
# fetch https://security.FreeBSD.org/patches/EN-20:22/callout.12.2.patch
# fetch https://security.FreeBSD.org/patches/EN-20:22/callout.12.2.patch.asc
# gpg --verify callout.12.2.patch.asc

[FreeBSD 12.1]
# fetch https://security.FreeBSD.org/patches/EN-20:22/callout.12.1.patch
# fetch https://security.FreeBSD.org/patches/EN-20:22/callout.12.1.patch.asc
# gpg --verify callout.12.1.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r368057
releng/12.2/                                                      r368254
releng/12.1/                                                      r368254
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-20:22.callout.asc>
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl/GndVfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cJUHxAAg1Mw+GeweWrKv/qaDymHW6YTGF8/y1qJ9YQKhVZ4QCtFMX2E467Slh35
sVOtfVsfUxKmwsKfdEM93sw9uSjj6///TodhF9vJMKGk/uVpF+PHrnFLtD+2VONs
jhAtH1R5tatIQEZeijaGBGizxXQRN2y2PqUQfKBNIqO5u06rG3KonNI+Cx1TGKm1
4R0ua06s0i2WpTsdW6AMszJqD3WbvlV7W5aM5pRfWtGM/OFksBKp/ScJ4J/MdOhh
11g4RsbvPvxGwBMad32TDV9Npjmkcjy65Ro92RUHAkDOT9Eftt18w1JYNaOxl+/p
fcS7cLBjdXJgvARJ57turXEiQT03SemG7yu9mr3SB//2Kh/RNVE5KFZev+i1kZOe
98NS8+AYNyN3ovg5ceESuXBpVM+T+mFMu6NLfNFSfgfd0OneNSiiB0uDt2B07TWN
LM0bz3vrq91GSnf7EZWppx/f3e8wIT0lBXcpJMJo9T56096ewoPMx9C5/RNqcrpL
LskXRnwi8od0o8nw7nDWYlIGiAfWkwzXm5slvKA0v2c9qVsyB7OWtGtS+YonOb4c
Eyc5b14MoRb9Y4J/fZHm3gWDVP9OQDWxyRTXvLZq8QCYmOYFoXspIM6kM5geOIZH
S/X3Xl671coCtCJcQVQJShMwgEcEeUCtJcKEOJ+gC3f60E0aLS0=
=l7SY
-----END PGP SIGNATURE-----
